DMARC reports are now way more useful

One of our most popular tools is the DMARC Weekly Digests we provide to anyone (for free!). We process the XML reports from major ISPs about your domain’s DMARC alignment, and turn them into easy-to-read weekly email digests (if you’re not sure how DMARC can help to monitor and secure your email, check out our DMARC Guide).

The problem is that DMARC reports can be difficult to understand — and it’s even more difficult to figure out what actions you need to take based on the information. The most frequent support question we get about DMARC reports is, “Should I be worried about this?”

So we decided to take our DMARC reports a step further. Instead of just showing you synthesized DMARC information, we now include helpful tips on how to address each of the possible issues you might see on the IP addresses that are sending on your behalf. In this post I want to provide a brief overview of the biggest changes we made to the report.

We used to group sending IP addresses by what we called “trusted” and “untrusted” sources. This created a lot of confusion. We now group domains a bit differently:

Your sources are IPs that we know belong to you based on various DNS checks we do.

Other sources are IPs that are sending email on your behalf, but we can’t verify that they belong to you. In general this isn’t something to be concerned about, but we also give you tips on how to make sure there is no malicious activity going on.

Instead of just telling you if SPF/DKIM passed or failed on your domains, we now also give you tips on what to do to address some common issues with DMARC alignment. In the example below, we know you are sending mail through Postmark, so we can give you very specific recommendations.

In scenarios where you don’t send through Postmark we still give you some general advice and documentation to help you resolve issues:

Another question we get a lot in support is, “Why is DKIM passing on this source I don’t recognize?” While it might be tempting to assume this is due to someone getting access to your DKIM key and spoofing your domain, odds are it is due to a more benign reason — email forwarding. We now include information about email forwards in the digests as well:

Some customers have DMARC policies set up to reject or quarantine emails from unknown sources (see our DMARC guide for more information on this). Your report will now show your current policy if you have one:

For those of you who are already signed up for DMARC reports, we’d love to know what you think about the new format. What other information would be useful? Is there anything missing for you? Just reach out to the support team with your suggestions.